AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add mbedtls_ssl_conf_cert_profile()

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-17 10:58:20 +02:00
parent cbb1f6e5cb
commit 6e3ee3ad43
2 changed files with 27 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
include/mbedtls/ssl.h
View File

@ -529,6 +529,7 @@ struct mbedtls_ssl_config
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */ mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */
mbedtls_x509_crt *ca_chain; /*!< trusted CAs */ mbedtls_x509_crt *ca_chain; /*!< trusted CAs */
mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
@ -1351,6 +1352,15 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
int major, int minor ); int major, int minor );
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* \brief Set the X.509 security profile used for verification
*
* \param conf SSL configuration
* \param profile Profile to use
*/
void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
mbedtls_x509_crt_profile *profile );
/** /**
* \brief Set the data required to verify peer certificate * \brief Set the data required to verify peer certificate
* *

21
library/ssl_tls.c
View File

@ -4064,10 +4064,13 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
/* /*
* Main check: verify certificate * Main check: verify certificate
*/ */
ret = mbedtls_x509_crt_verify( ssl->session_negotiate->peer_cert, ret = mbedtls_x509_crt_verify_with_profile(
ca_chain, ca_crl, ssl->hostname, ssl->session_negotiate->peer_cert,
&ssl->session_negotiate->verify_result, ca_chain, ca_crl,
ssl->conf->f_vrfy, ssl->conf->p_vrfy ); ssl->conf->cert_profile,
ssl->hostname,
&ssl->session_negotiate->verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy );
if( ret != 0 ) if( ret != 0 )
{ {
@ -5292,6 +5295,12 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
} }
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
mbedtls_x509_crt_profile *profile )
{
conf->cert_profile = profile;
}
/* Append a new keycert entry to a (possibly empty) list */ /* Append a new keycert entry to a (possibly empty) list */
static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
mbedtls_x509_crt *cert, mbedtls_x509_crt *cert,
@ -6636,6 +6645,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
mbedtls_ssl_list_ciphersuites(); mbedtls_ssl_list_ciphersuites();
#if defined(MBEDTLS_X509_CRT_PARSE_C)
conf->cert_profile = &mbedtls_x509_crt_profile_default;
#endif
#if defined(MBEDTLS_ARC4_C) #if defined(MBEDTLS_ARC4_C)
conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
#endif #endif